System Infected: Infostealer.Limitail Activity 68

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects traffic related to Infostealer.Limitail

Additional Information

When the Trojan is executed, it copies itself to the following location: %UserProfile%\Application Data\Microsoft\SysAudio.exe

Next, it creates the following folder: C:\Documents and Settings\Administrator\Application Data\Microsoft\Backups

The Trojan then takes screen shots and saves them to the following location: %UserProfile%\Application Data\Microsoft\Credentials\screen[NUMBER].png

Note: Where [NUMBER] starts at 0 and increments by 1 for each screen shot that is taken.

Next, the Trojan creates the following registry entry so that it executes whenever Windows starts: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Google Updater" = "%UserProfile%\Application Data\Microsoft\SysAudio.exe"

The Trojan also records the following information:
Keystrokes
Title bars of open windows

The stolen information is then sent to the following location in an email format: limitlessmail.3owl.com/LimitlessEmail.php
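As an added example, not part of the Symantec signature page and not code from the Trojan itself, the indicators listed above can be turned into a small host-artifact triage check. The event records below use a constructed, simplified shape (a list of dicts), not a real Sysmon or EDR schema; only the file paths, folder, screenshot naming pattern, Run value and exfiltration URL come from the advisory. Paths are matched on their tail so that the %UserProfile% form in the advisory and the expanded C:\Documents and Settings\<user> form both hit. The lower-confidence "run_key_name_only" result is an assumption added here: a Run value called "Google Updater" that points at some other binary is worth a look but is not, on its own, a match for this threat.

```python
import re

# Indicator strings taken from the advisory text.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Google Updater"
EXFIL_HOST = "limitlessmail.3owl.com"
EXFIL_URI = "/LimitlessEmail.php"

# Match on the path tail so %UserProfile% expansion, drive letter or
# user name do not matter.
DROPPED_EXE_RE = re.compile(r"\\Application Data\\Microsoft\\SysAudio\.exe$", re.I)
BACKUPS_DIR_RE = re.compile(r"\\Application Data\\Microsoft\\Backups\\?$", re.I)
SCREENSHOT_RE = re.compile(
    r"\\Application Data\\Microsoft\\Credentials\\screen(\d+)\.png$", re.I)


def _norm_key(key):
    """Accept the abbreviated HKCU\\ form as well as the full hive name."""
    key = re.sub(r"^HKCU(?=\\)", "HKEY_CURRENT_USER", key, flags=re.I)
    return key.rstrip("\\").lower()


def check_registry(key, name, data):
    """Registry value set: returns an indicator name or None."""
    if _norm_key(key) != RUN_KEY.lower():
        return None
    if DROPPED_EXE_RE.search(data):
        return "run_key_persistence"
    # Assumption (not from the advisory): the value name alone is a weak hit.
    if name.lower() == RUN_VALUE_NAME.lower():
        return "run_key_name_only"
    return None


def check_file(path):
    """File or folder creation: returns an indicator name or None."""
    if DROPPED_EXE_RE.search(path):
        return "dropped_binary"
    if BACKUPS_DIR_RE.search(path):
        return "backups_folder"
    m = SCREENSHOT_RE.search(path)
    if m:
        # [NUMBER] starts at 0 and increments; keep it for timeline ordering.
        return f"screenshot_{int(m.group(1))}"
    return None


def check_http(host, uri):
    """Outbound HTTP request: flags the exfiltration URL from the advisory."""
    if host.lower() == EXFIL_HOST and uri.split("?", 1)[0] == EXFIL_URI:
        return "exfil_url"
    return None


def triage(events):
    """Return [(event_index, indicator)] for every event that matches."""
    hits = []
    for i, ev in enumerate(events):
        kind = ev["type"]
        if kind == "registry":
            ind = check_registry(ev["key"], ev["name"], ev["data"])
        elif kind == "file":
            ind = check_file(ev["path"])
        elif kind == "http":
            ind = check_http(ev["host"], ev["uri"])
        else:
            ind = None
        if ind:
            hits.append((i, ind))
    return hits


# Constructed sample events: the advisory's artifacts plus two decoys that
# must not match (a legitimate-looking Google Update entry, and the exfil
# path on an unrelated host).
PROFILE = r"C:\Documents and Settings\Administrator\Application Data\Microsoft"
SAMPLE_EVENTS = [
    {"type": "file", "path": PROFILE + r"\SysAudio.exe"},
    {"type": "file", "path": PROFILE + r"\Backups"},
    {"type": "file", "path": PROFILE + r"\Credentials\screen0.png"},
    {"type": "file", "path": PROFILE + r"\Credentials\screen1.png"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Google Updater",
     "data": r"%UserProfile%\Application Data\Microsoft\SysAudio.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Google Update",
     "data": r"C:\Program Files\Google\Update\GoogleUpdate.exe /c"},
    {"type": "http", "host": "limitlessmail.3owl.com", "uri": "/LimitlessEmail.php"},
    {"type": "http", "host": "www.example.com", "uri": "/LimitlessEmail.php"},
]

if __name__ == "__main__":
    for idx, indicator in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {indicator}")
```

Run against real data, feed it registry-set, file-create and proxy events from your own telemetry in the same three-field shapes; the host and URI check deliberately ignores the query string so that variations in what the Trojan appends after LimitlessEmail.php still match.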
